Curl: Vulnerabilities fixed in Version 8.4.0

IDs: 
CVE-2023-38545, CVE-2023-38546
Keywords: 
curl
Description: 

Curl released version 8.4.0 fixing two vulnerabilities from 8.3.0 [1]. Curl is used in Airlock Gateway and Airlock Microgateway 3.x for back-end HTTP connection handling.

No action required for Airlock Gateway and Airlock Microgateway

Details:

CVE-2023-38545

The reported CVE describes a bug in curl that may cause a buffer overflow when curl is asked to forward a very long hostname to a SOCKS5 proxy [2]. Airlock Gateway can be configured to use a SOCKS5 back-end proxy in the SG expert settings. However, the hostname used in the curl request to the back-end is not directly taken from the request, but instead selected from the list of configured back-end hosts. Thus, an outside attacker cannot exploit this vulnerability.
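The reasoning above as an added example (not curl's or Airlock's code): the SOCKS5 destination name is taken from configuration, never from the client request, and the encoder refuses names that do not fit the one-byte length field SOCKS5 uses for domain names (RFC 1928). The back-end names, function names and the `mapping` index are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample configuration: the administrator-defined back-end hosts. */
static const char *const BACKENDS[] = { "app1.backend.example", "app2.backend.example" };
#define N_BACKENDS (sizeof BACKENDS / sizeof BACKENDS[0])

/* Encode a SOCKS5 CONNECT request with a domain-name address (RFC 1928, ATYP 0x03).
 * Returns the number of bytes written, or -1 if the name does not fit the
 * one-byte length field or the caller's buffer. */
int socks5_connect_request(uint8_t *out, size_t out_len, const char *host, uint16_t port)
{
    size_t hlen = host ? strlen(host) : 0;
    if (out == NULL || hlen == 0 || hlen > 255)  /* DST.ADDR length is one octet */
        return -1;
    if (out_len < 7 + hlen)          /* 5 header bytes + name + 2-byte port */
        return -1;
    /* VER = 5, CMD = CONNECT, RSV = 0, ATYP = domain name */
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);     /* bounded by the checks above */
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return (int)(7 + hlen);
}

/* Hypothetical gateway step: the client's Host header is accepted as input but
 * never used as the proxy destination; only a configured back-end is. */
int build_backend_request(const char *client_host, size_t mapping, uint16_t port,
                          uint8_t *out, size_t out_len)
{
    (void)client_host;               /* deliberately ignored */
    if (mapping >= N_BACKENDS)
        return -1;
    return socks5_connect_request(out, out_len, BACKENDS[mapping], port);
}

int main(void)
{
    uint8_t buf[262];                /* 7 + 255: largest valid request */
    char attacker_host[301];         /* constructed over-long client hostname */
    memset(attacker_host, 'a', 300);
    attacker_host[300] = '\0';
    printf("direct: %d\n", socks5_connect_request(buf, sizeof buf, attacker_host, 443));
    printf("via config: %d\n", build_backend_request(attacker_host, 0, 443, buf, sizeof buf));
    return 0;
}
```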

CVE-2023-38546

This vulnerability may allow an attacker to perform a cookie injection attack if certain specific conditions are met [3]. Two of the necessary conditions are calling the function 'curl_easy_duphandle' and the presence of a file called 'none'. Airlock Gateway uses its own cookie store and sets the cookies manually for each request. It does not call 'curl_easy_duphandle', nor is there a file called 'none' that could be read to inject cookies.

Resolution: 

No action required

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required